Tutorial: Install and Configure SSL/TLS Certificates with Certbot for NGINX on Ubuntu.

Let’s Encrypt is a free, automated, and open certificate authority that provides SSL/TLS certificates. In this tutorial, we’ll show you how to install Let’s Encrypt certificates for Nginx on Ubuntu and how to automate the renewal process using Certbot.

Step 1: Install Certbot

Certbot is a free, open-source software tool that automates the process of obtaining and renewing SSL/TLS certificates from Let’s Encrypt.

To install Certbot together with its Nginx plugin (the plugin is what lets the --nginx option below work), run the following command:

sudo apt install certbot python3-certbot-nginx

Step 2: Generate Let’s Encrypt Certificate

Next, we’ll use Certbot to obtain a Let’s Encrypt SSL/TLS certificate for our domain. The Nginx plugin proves control of the domain with an HTTP-01 challenge answered through the running Nginx, so the domain’s DNS records must already point at this server and port 80 must be reachable from the internet. (Wildcard names such as *.example.com need a DNS-01 challenge, which the Nginx plugin cannot perform; they require one of Certbot’s DNS plugins instead.)

Run the following command, replacing example.com with your domain name:

sudo certbot certonly --nginx -d example.com -d www.example.com

Because we used certonly, Certbot only obtains the certificate and stores it under /etc/letsencrypt/live/example.com/; it does not touch the Nginx configuration. We configure Nginx by hand in the next step.

Step 3: Configure Nginx to Use SSL/TLS

Now that we have the SSL/TLS certificate, we need to configure Nginx to use it.

Create a new server block in the Nginx configuration file /etc/nginx/sites-available/example.com with the following content:

server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    # Send every plain-HTTP request to the HTTPS site
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com www.example.com;
    # Placeholder: replace with the directory that holds your site's files
    root /var/www/example.com;
    index index.php index.htm index.html;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # SSL configuration: TLS 1.2/1.3 only, AEAD cipher suites only
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;

    # Security-related response headers
    # (hstspreload.org only accepts the preload flag with a max-age of at least 31536000)
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload";
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";

    # Uncomment the following if your website is running WordPress
    # location / {
    #     try_files $uri $uri/ /index.php?$args;
    # }
    # location ~ \.php$ {
    #     try_files $uri =404;
    #     fastcgi_pass unix:/var/run/php/php8.1-fpm.sock;
    #     fastcgi_index index.php;
    #     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    #     include fastcgi_params;
    # }
}

Save and close the file, then activate the server block by creating a symbolic link in the sites-enabled directory:

sudo ln -s /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled/

Test the Nginx configuration:

sudo nginx -t

If there are no errors, reload Nginx:

sudo systemctl reload nginx

Step 4: Automatic Renewal

Let’s Encrypt SSL/TLS certificates expire after 90 days. The Certbot package installs a systemd timer (and a cron job for systems without systemd) that runs twice daily, at 12:00am and 12:00pm, and renews any certificate that is within 30 days of expiry. You don’t need to add anything to your cron jobs.
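As an added example (not part of the original tutorial, and not Certbot or Nginx code), the following Python 3 script checks a deployed site against the server block from Step 3 and the renewal behaviour described above: it verifies that port 80 redirects to HTTPS, that the certificate chain validates against the system trust store, that a client offering only TLS 1.0/1.1 is refused, that the certificate is still outside Certbot's 30-day renewal window, and that the Strict-Transport-Security header is well-formed. It uses only the standard library; the hostname is taken from the command line, and example.com is a placeholder as in the tutorial.

```python
"""Post-deployment TLS checks for the Nginx setup in this tutorial.
Added example (not Certbot, Nginx or the tutorial's own code); standard library
only, Python 3.8+. The hostname is a command-line argument; example.com is a placeholder."""
import socket
import ssl
import sys
import time
from http.client import HTTPConnection, HTTPSConnection
from typing import Dict, List

RENEW_WINDOW_DAYS = 30           # Certbot renews once fewer than 30 days remain
HSTS_MIN_PRELOAD_AGE = 31536000  # hstspreload.org requires at least one year

def days_remaining(not_after: str, now_epoch: float) -> float:
    """Days until expiry, from the notAfter string of SSLSocket.getpeercert()."""
    return (ssl.cert_time_to_seconds(not_after) - now_epoch) / 86400.0

def parse_hsts(value: str) -> Dict[str, object]:
    """Split a Strict-Transport-Security value into {directive: value or True}."""
    directives: Dict[str, object] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:                      # tolerates a stray trailing ';'
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if val else True
    return directives

def hsts_problems(value: str) -> List[str]:
    """What is wrong with an HSTS header value; an empty list means it is fine."""
    d = parse_hsts(value)
    if not str(d.get("max-age", "")).isdigit():
        return ["max-age missing or not a number"]
    problems = []
    if "preload" in d:
        if int(d["max-age"]) < HSTS_MIN_PRELOAD_AGE:
            problems.append("preload requires max-age >= %d" % HSTS_MIN_PRELOAD_AGE)
        if "includesubdomains" not in d:
            problems.append("preload requires includeSubDomains")
    return problems

def http_redirects_to_https(host: str, timeout: float = 5.0) -> bool:
    """True if http://host/ answers with a permanent redirect to an https:// URL."""
    conn = HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        return resp.status in (301, 308) and resp.getheader("Location", "").startswith("https://")
    finally:
        conn.close()

def tls_details(host: str, timeout: float = 5.0) -> Dict[str, str]:
    """Connect with chain and hostname verification; report what was negotiated."""
    ctx = ssl.create_default_context()   # verifies against the system trust store
    conn = HTTPSConnection(host, 443, timeout=timeout, context=ctx)
    try:
        conn.connect()                   # TLS handshake; read the socket before the request
        details = {"version": conn.sock.version(),
                   "not_after": conn.sock.getpeercert()["notAfter"]}
        conn.request("GET", "/")
        details["hsts"] = conn.getresponse().getheader("Strict-Transport-Security", "")
        return details
    finally:
        conn.close()

def legacy_tls_refused(host: str, timeout: float = 5.0) -> bool:
    """True if the server rejects a client that only offers TLS 1.0/1.1."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE         # only the handshake outcome matters here
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # OpenSSL 3 otherwise refuses TLS < 1.2 itself
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    ctx.maximum_version = ssl.TLSVersion.TLSv1_1
    try:
        with socket.create_connection((host, 443), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return False                # handshake accepted: legacy TLS still on
    except ssl.SSLError:
        return True

def main(host: str) -> int:
    problems: List[str] = []
    if not http_redirects_to_https(host):
        problems.append("port 80 does not redirect to https://")
    info = tls_details(host)
    days = days_remaining(info["not_after"], time.time())
    print("%s: %s, certificate expires in %.1f days" % (host, info["version"], days))
    if days < RENEW_WINDOW_DAYS:
        problems.append("inside the renewal window; check 'sudo certbot renew --dry-run'")
    problems += ["HSTS: " + p for p in hsts_problems(info["hsts"])] if info["hsts"] else ["HSTS header missing"]
    if not legacy_tls_refused(host):
        problems.append("server still accepts TLS 1.0/1.1")
    for p in problems:
        print("PROBLEM:", p)
    return 1 if problems else 0

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: tls_check.py example.com")
    sys.exit(main(sys.argv[1]))
```

Run it as python3 tls_check.py example.com after reloading Nginx; a non-zero exit code means one of the checks failed. Two things worth knowing about its results: the HSTS check reports the tutorial's max-age of 15768000 seconds as too short for the preload list, which only matters if you intend to submit the domain to hstspreload.org; and the legacy-TLS probe is only meaningful where the local OpenSSL can still offer TLS 1.1 at all, which is why the context sets the SECLEVEL=0 cipher string before lowering the protocol versions.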
